
How can we set up SSL/TLS using the same certificate on multiple EC2 servers

After some frustration, I was able to get SSL/TLS set up via these instructions. I did face an error about "Missing certificate key", but I was able to fix that by re-creating the CSR file, fixing the common name to *.opensourceroads.com.

I requested, and installed, a Comodo wildcard certificate.

Everything works on the development subdomain.

Now, for the production server....

First, I copied the private key and certificate files to my home directory, and set the permissions of those HOME versions to 755. This allowed me to download them from the development server and upload them to the production server, which I did.

By the way, the production server hosts the content for www.opensourceroads.com.

After doing so, I installed mod_ssl per the instructions, moved the private key and certificate files down to the right place, and changed their permissions and ownership back, per the tutorial:

sudo chown root:root custom.key
sudo chmod 600 custom.key
ls -al custom.key
sudo chown root:root custom.crt
sudo chmod 600 custom.crt
ls -al custom.crt
sudo chown root:root intermediate.crt
sudo chmod 644 intermediate.crt
ls -al intermediate.crt

I then changed /etc/httpd/conf.d/ssl.conf to match what's on the development server.

When I run sudo service httpd restart, however, it doesn't restart. When I run journalctl -xe, I see the following lines in the log:

-- Unit httpd-init.service has begun starting up.
Jul 27 17:30:04 ip-172-31-21-209.us-east-2.compute.internal httpd-ssl-gencerts[56816]: Missing certificate key!
Jul 27 17:30:04 ip-172-31-21-209.us-east-2.compute.internal systemd[1]: httpd-init.service: Main process exited, code=exited, status=1/FAILURE
Jul 27 17:30:04 ip-172-31-21-209.us-east-2.compute.internal systemd[1]: httpd-init.service: Failed with result 'exit-code'.
Jul 27 17:30:04 ip-172-31-21-209.us-east-2.compute.internal systemd[1]: Failed to start One-time temporary TLS key generation for httpd.service.
-- Subject: Unit httpd-init.service has failed
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
--
-- Unit httpd-init.service has failed.
--
-- The result is failed.
Jul 27 17:30:04 ip-172-31-21-209.us-east-2.compute.internal systemd[1]: Starting The Apache HTTP Server...
-- Subject: Unit httpd.service has begun start-up
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
--
-- Unit httpd.service has begun starting up.
Jul 27 17:30:04 ip-172-31-21-209.us-east-2.compute.internal systemd[1]: httpd.service: Main process exited, code=exited, status=1/FAILURE
Jul 27 17:30:04 ip-172-31-21-209.us-east-2.compute.internal systemd[1]: httpd.service: Failed with result 'exit-code'.
Jul 27 17:30:04 ip-172-31-21-209.us-east-2.compute.internal systemd[1]: Failed to start The Apache HTTP Server.
-- Subject: Unit httpd.service has failed
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
--
-- Unit httpd.service has failed.
--
-- The result is failed.
Jul 27 17:30:04 ip-172-31-21-209.us-east-2.compute.internal sudo[56802]: pam_unix(sudo:session): session closed for user root

Somehow, it can't find the certificate key! I re-checked the key file specified by the configuration line SSLCertificateKeyFile /etc/pki/tls/private/custom.key for existence with ls -al /etc/pki/tls/private/custom.key. It exists, with permissions 600.

I don't know what I'm doing wrong. Will I have to create a different private key for this server, and/or re-request the certificate from the CA?

I was able to get it to work.

How?

I had been saving this as a last-resort method of debugging the issue, given how much work I had to put into it, but I tried the following:

  • start a new test EC2 server, install httpd and mod_ssl on it, and repeat everything I attempted on the production server.

I did so, and Route53'd that server to the test subdomain.

It worked.

But why ?

The immediate hypothesis that popped into my mind: my Comodo PositiveSSL wildcard certificate somehow wasn't compatible with the www subdomain.

But before I was done for the night, I decided to look further. I looked back at my EC2 dashboard, and realized that the development server and the test server were in two different availability zones, with two different first IP address octets!

Development server is in us-east-2b , whereas the test was in us-east-2a .

OK, now what if I try to create a new production server? (Thank dog I don't have any business logic on the production server yet!)

I spin one up. Rinse. Lather. Repeat.

I Route53 the www subdomain to it, and do everything to it that I tried on the "old" production server.

It works!!

WHY?!

I go back to that EC2 dashboard, and I note that it is also in a different availability zone than the development server, with a different first IP address octet as well.

I don't know why (enlighten me, AWS gods), but it seems that if two servers are to have the same third-party certificate, they must be in different availability zones.

Please check the permissions of the folder /etc/pki/tls/private/. The folder should at least have read and execute permissions set.

Does the web server run under a specific user, for example www-data?

Run the commands below in the terminal.

Step 1:

 rm -f /etc/pki/tls/private/localhost.key /etc/pki/tls/certs/localhost.crt

Step 2:

sudo systemctl start httpd && sudo systemctl enable httpd

Step 3:

systemctl status httpd.service
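The following is an added example; it is not code from the question or from any of the answers above. It shows why the rm -f in the answer above works and answers the question's closing worry about needing a new private key. On RHEL-family systems httpd.service is preceded by httpd-init.service, which runs /usr/libexec/httpd-ssl-gencerts. That script does not look at SSLCertificateKeyFile in ssl.conf at all: it only checks the stock self-signed pair /etc/pki/tls/certs/localhost.crt and /etc/pki/tls/private/localhost.key. If both exist it does nothing, if neither exists it generates a fresh throwaway pair, and if exactly one of them exists it prints "Missing certificate key!" and exits 1, so httpd never starts. That is why ls -al on custom.key looked fine yet the unit failed, and why deleting both localhost files (or restoring the missing one) fixes it. Nothing about availability zones is involved. The paths below are the stock defaults and are assumed rather than taken from the post; the files created in the demo are empty placeholders, constructed only to exercise the three states.

```shell
#!/bin/sh
# Added example, not part of the original question or answers.
# check_localhost_pair CERTDIR KEYDIR
#   Reproduces the decision made by httpd-ssl-gencerts (httpd-init.service)
#   for the stock localhost.crt / localhost.key pair. Prints one of:
#     ok        both present  -> httpd-init exits 0, httpd starts
#     missing   exactly one   -> "Missing certificate key!", exit 1, httpd fails
#     generate  neither       -> a throwaway self-signed pair is generated
check_localhost_pair() {
    crt="$1/localhost.crt"
    key="$2/localhost.key"
    if [ -f "$crt" ] && [ -f "$key" ]; then
        echo ok
    elif [ -f "$crt" ] || [ -f "$key" ]; then
        echo missing
    else
        echo generate
    fi
}

# key_matches_cert KEYFILE CERTFILE
#   Exit 0 if the private key belongs to the certificate, 1 if not, 2 if either
#   file cannot be parsed. Compares the public key derived from each side, so it
#   works for RSA and EC keys alike. Needs the openssl CLI.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$k" = "$c" ]
}

# Demonstration on a scratch directory with constructed (empty) placeholder
# files; the stock locations would be /etc/pki/tls/certs and /etc/pki/tls/private.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/certs" "$tmp/private"
    check_localhost_pair "$tmp/certs" "$tmp/private"   # -> generate
    : > "$tmp/certs/localhost.crt"                      # only the cert is present
    check_localhost_pair "$tmp/certs" "$tmp/private"   # -> missing
    : > "$tmp/private/localhost.key"                    # now the pair is complete
    check_localhost_pair "$tmp/certs" "$tmp/private"   # -> ok
    rm -rf "$tmp"
}
demo
```

On the broken server the practical sequence is: run check_localhost_pair /etc/pki/tls/certs /etc/pki/tls/private and, if it prints missing, either restore the missing localhost file or remove the surviving one as the answer above does (as root). Then confirm the copied production pair actually belongs together with key_matches_cert /etc/pki/tls/private/custom.key /etc/pki/tls/certs/custom.crt (the certificate path is assumed); an exit status of 0 means the same key and certificate can be reused on every server that serves a name covered by the wildcard, and no new key or CA request is needed.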
